I am using Sophos XG115 as the firewall and i do have a layer 3 switch (Unifi 8 port POE 60W switch) which leverages VLANS created & tagged at XG115.
Users in different VLANs want to connect to devices (e.g. Network Printer and Network Attached Storage device [TerraMaster]) located in another VLAN.
i have created a firewall rule which enables the communication between VLANS. I have also created DHCP records for each VLANs at XG115.
I am able to PING to the gateway addresses of each VLAN. Unfortunately, the trace route keeps on failing at the gateway address of LAN network port at XG11 5when trying to reach to devices in different VLANs.
Can someone help me in steps on what we should be adding or enabling to allow users in different VLANs to access the NAS and Printer?
Please note that users are on stand-alone Windows 10 devices. There is no active directory or LDAP integrations (i mean there is no Windows server).
Below is a diagram of the network. An early response is highly appreciated.
Hello, try source zone :lan , source network select all VLAN inside and the same for destination zone: LAN and destination network : all VLAN . move the rule set to the top position at the Intranet rulesets…
UJay In this scenario, you need to add static route in the firewall. For an IPv4 unicast route, go to Configure > Routing > Static Routing and click Add under IPv4 Unicast Route.https://docs.sophos.com/nsg/sophos-firewall/v17.1.4/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FUnicastRouteEdit.html%23Video link: https://www.youtube.com/watch?v=h-nu7tMfL_E
Hope this helps!
Thank & Regards,
If a post solves your question, use the 'Verify Answer' link.
I tried your suggestion and still unable to cross from one VLAN to another.
I am able to ping between gateways of each VLANs but not able to trace route or ping a specific IP address of device.
Do you forward all VLAN's to the XG or terminates the L3-Switch the VLAN and use a transfer-subnet to communicate with XG?
... where is the gefault gateway-IP for the VLAN's located .. at the Switch or at the XG?
If XG is the gateway - you don't need additional routes.
Would be helpful you post a screenshot of XG - interfaces-list.
and follow the suggestion from rfcat_vk:
" On the first rule try changing the any to LAN and enable logging so you can see what if any traffic is attempting to use the firewall rule. Also please make it the top of the rule list."
check the log-viewer...
BTW: are your clients able to access the internet?
Sophos Solution Partner since 2003 If a post solves your question, click the 'Verify Answer' link at this post.
... and a common error: check the IP/subnet-mask and gateway at the NAS!!
The default gateway IP for VLANs are located at XG.
I have done all steps rfact_vk has recommended and still no luck. When i try the POLICY TEST utility under LOG VIEWER,I can see it is picking up the first rule and getting passed as expected. But when i do a trace route, it fails.
Yes clients are able to access internet.
Below is a quick screen caption of interfaces.
you don't have any VLANs configured on your XG so there is no way for the traffic to get from one Vlan to the other unless you enable routing in your switch to configure Vlans on the XG.
i think he have the vlans under Port1.
you might be right, but that is a guess based on the blue line besides port 1. He was asked for his interface configuration.
Yes I do have VLANS and they are defined under Port 1 as xg-andy mentioned
After deleting and recreating the VLAN and Rule, i am now able to access the NAS by using the UNC path. I am not sure what was the issue which prevent access from the previous arrangements.
The firewall rule is same as screenshot displaying 40toLAN where Source LAN, ANY and then Destination LAN with ANY. As soon as I change ANY to specific VLANs, then i am unable to communicate with the NAS.
I don't want some VLANs to access NAS, hence need to find a way to prevent such VLANs accessing NAS. How do i achieve that?
You need to setup firewall rules LAN "VLAN Network" LAN any allow log. I suspect you are changing the ANY to the VLAN interface IP address rather than the VLAN IP network range.
Can you please give me an example to get a better understanding of your guidance?
VLAN interface 10.10.10.1/32 VLAN network 10.10.10.1/24
Quick update to you.
I was able to use this method and restrict access by unwanted devices. Thanks for your guidance.
At the moment i am using any for services but i want to restrict that to ports require for NAS (such as 445). I have tried with 445 and 137 as SMB ports, but no success.
The firewall at the NAS is disabled.